[Freeipa-users] dirsrv access logs flooded from single connection id

[thierry bordaz]

On 06/29/2015 06:34 PM, Andrew E. Bruno wrote:
> On Mon, Jun 29, 2015 at 10:29:24AM -0600, Rich Megginson wrote:
>> On 06/29/2015 10:13 AM, Andrew E. Bruno wrote:
>>> Our dirsrv access logs on our freeipa master server are getting flooded
>>> with this:
>>>
>>> [29/Jun/2015:12:02:09 -0400] conn=215758 op=1355326784 SRCH
>>> base="cn=u2,cn=groups,cn=accounts,dc=ccr,dc=buffalo,dc=edu" scope=0
>>> filter="(objectClass=*)" attrs="objectClass posixgroup cn userPassword
>>> gidNumber member ipaNTSecurityIdentifier modifyTimestamp entryusn uid"
>>>
>>> [29/Jun/2015:12:08:08 -0400] conn=215758 op=1356545457 RESULT err=0
>>> tag=101 nentries=0 etime=0 notes=P
>>>
>>> All from the same conn=215758. Logs get rotated every minute.
>>>
>>> logconv.pl is showing
>>>
>>> Searches:     265803        (3322.54/sec) (199352.25/min)
>>>
>>>
>>> How can I figure out which ip address this query is coming from? Is
>>> there a way to fetch the ip using the connection id? conn=215758?
>> grep "conn=215758 fd=" /var/log/dirsrv/slapd-INST/access*
>>
>> Unfortunately, if it has been rotated away, you won't be able to get the
>> information from the access log.
>>
> No luck .. looks like it has been rotated away. Any other thoughts?
>
> Is it correct to assume this is all coming from a single host? My
> thinking is that if I can kill the query coming from the host that it
> would solve the problem.
>
Hi,

This is looking like bug https://fedorahosted.org/389/ticket/48192.
Because a ldap client (likely SSSD ?) keeps sending page results 
requests although 0 entries are returned.
A condition for this is that the search has been abandonned but it is 
difficult to very this as the log file has rotated.

This is fixed in 6.7 and 7.1.z

thanks
thierry
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150702/ebb7fd0b/attachment.htm>